These difficulties were certainly predictable. Something pretty annoying for anyone working in security (yours included btw) is the fact that, ideally, security mechanisms should be *extremely* adaptable both to users needs and to the computer environment.
Such an high need of adaptability never stopped to strike me for more than a decadeof work in the field; and now makes me more and more wonder if it would not be wiser to design an adaptable system from the beginning than to try to define a complete security policy. (Note that I have also evolved with time from desiring strong and robust security properties to hoping for acceptable minimisation of risk at the right place and intrusion tolerance in salvageable areas.)
However, this viewpoint evolution is only apparently negative as it also involved a lot of fruitful listening to real end users of "secure" systems.
As a practical example, Linus apparently does not want to enter a password every time to install a printer. But maybe he would *like* to enter a password once in order to deactivate printer install protection.
Defining the "right"(tm) security policy not only involves a lot of technical or organizational know-how, but it also implies that there exist a very powerful authority somewhere that can legitimately impose fixed rules on an entire computer system for its whole lifetime.
Maybe such an authority simply does not exist for general common issues .
So, why not try instead to rely on the available authorities at the time of the decision? At install time, ask the right question for defaults. Take the opportunity of a (by default)-priviledged operation to obtain more information about the security rules the user wants in the system on this kind of action. And then, record in detail and reliably these *decisions* in order to explain them very precisely later . The involved users will be accountable, not the security policy designer (which will always be culprit by default).
Well maybe I should put more work on a real design and try to write a specification in order to check (at least for myself) if it's realistic. But I hope you get the idea, and thanks for reading up to here. :-)
 Such an authority may exist, but in civilian systems maybe only at the core of something like a (criminal) judicial system. Amusing, but not something common. ("Computer, this is policed, I have a warrant; decipher all your disk. You are allowed to start lawyerd concurrently.")
 "I accept p2pd connections because X explicitly told me to do it like this on 2012-01-13 11:13 and entered the admin password 3 times to force me to do it. That admin password had been selected at install time 2 years ago and only used 1 time since then, so it thought it would be enough as a proof that it was the legitimate owner."